Most IT pros consider compliance a hassle. Yet the
tools of compliance can empower security technologies and simplify risk
management. Better yet, some of those tools are free.

Many organizations must comply with regulations such as HIPAA,
and the numbers are growing, fueled by constantly evolving legislation
that creates new rules, requirements and auditing procedures.
Compliance requirements are often seen as an unnecessary burden that
was legislated into existence to protect external entities. However,
properly enforced compliance policies can protect organizations from a
myriad of problems – ranging from security breaches to lawsuits to
corporate espionage.

Compliance's Relationship to Security

Compliance has a symbiotic relationship with the procedures and
requirements dictated by computer security. Compliance, like security,
is all about managing risk. The risk associated with compliance failures
can include financial impact (fines), data loss (intrusions), lost
business (customer impacts) or even a suspension of operations.

The risks associated with a failure to properly secure IT are
similar, if not identical. The only major difference is that most
security practices are optional, while compliance practices are
required.

While it is easy to see how security and compliance go hand in hand
with risk management, the realization does nothing to ease the burdens
of compliance and security. It does, however, give some insight into how
those burdens can be reduced. Unifying risk management, security
management and compliance management can lead to an economy of scale, creating
efficiencies that lessen the burdens imposed, both in time and budgets.

How Tools Can Help

However, it takes more than an ideology of unification to solve those
problems; it takes tangible elements as well – starting with the proper
tools. Unified security management tools that offer integration and
management modules can often combine risk management, compliance
initiatives and security controls into a single managed element,
converting compliance to little more than an extension of policy-based
security enforcement.

With the proper tool set, compliance management and risk management
can become natural extensions of security management, offering managers a
clear path to establishing compliance, protecting data and enforcing
policy. That holistic approach will reduce costs, while enhancing the
benefits of all three.

The market has become all but flooded with compliance tools, yet few
of those tools include all of the needed capabilities to combine
compliance management with other security capabilities, such as
intrusion detection and prevention systems (IDPS), next generation firewall (NGFW), anti-malware and so on. All of these are rapidly becoming a concern for organizations charged with compliance regulations.

With that in mind, it becomes clear that IT managers may have to
build their own solutions and integrate off-the-shelf products with
other solutions. Luckily for those choosing a path of self-development,
several free tools can become part of an integrated solution. In no
particular order, here are five tools that can help IT pros seeking to
comply with various regulations:

www.glpi-project.org: A
free, open source tool, GLPI offers IT and asset management
capabilities. After all, a good inventory is the first step in seeing
what needs to be secured.

www.ptatechnologies.com:
A free toolset that is driven by the methodology of effectively
managing operational and infosec risks in complex systems using
calculative threat analysis and threat modeling.

www.somap.org: The ORICO
Framework and Tool are two projects in one, offering risk management and
the toolset to build a reference implementation of a security
framework.